01whitec2 Posted November 14, 2005
I keep getting messages from my task bar saying: "Your computer is infected! Windows has detected spyware infection. It is recommened to use special antispywater tools to prevent data loss. Windows will now download and install the most up-to-date antispyware for you. Click here to protect your computer from spyware"
AVG couldn't find anything. Any help?
100+ Combat :: 100+ Members :: 107 Combat Average-{Click sig to join Heroes of the Future}-
coltm4carbine Posted November 14, 2005
hi, post a hijackthis log- i take it your desktop has been hijacked. Spyaxe IS a desktop hijacker.... don't download it- it's gonna give you a lot more problems. and it's a rogue.
01whitec2 Posted November 14, 2005
Logfile of HijackThis v1.99.1
Scan saved at 18:07:20, on 14/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss[Caution: ExecutableFile]
C:\WINDOWS\system32\winlogon[Caution: ExecutableFile]
C:\WINDOWS\system32\services[Caution: ExecutableFile]
C:\WINDOWS\system32\lsass[Caution: ExecutableFile]
C:\WINDOWS\system32\svchost[Caution: ExecutableFile]
C:\WINDOWS\System32\svchost[Caution: ExecutableFile]
C:\WINDOWS\system32\spoolsv[Caution: ExecutableFile]
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr[Caution: ExecutableFile]
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc[Caution: ExecutableFile]
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc[Caution: ExecutableFile]
C:\WINDOWS\system32\ZoneLabs\vsmon[Caution: ExecutableFile]
C:\WINDOWS\Explorer[Caution: ExecutableFile]
C:\WINDOWS\system32\mssearchnet[Caution: ExecutableFile]
C:\WINDOWS\system32\nvctrl[Caution: ExecutableFile]
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc[Caution: ExecutableFile]
C:\Program Files\Zone Labs\ZoneAlarm\zlclient[Caution: ExecutableFile]
C:\WINDOWS\SOUNDMAN[Caution: ExecutableFile]
C:\WINDOWS\system32\ctfmon[Caution: ExecutableFile]
C:\Program Files\MSN Messenger\MsnMsgr[Caution: ExecutableFile]
C:\Program Files\Microsoft Office\Office\1033\OLFSNT40[Caution: ExecutableFile]
C:\PROGRA~1\MOZILL~1\FIREFOX[Caution: ExecutableFile]
C:\WINDOWS\system32\wuauclt[Caution: ExecutableFile]
C:\Program Files\mIRC\mirc[Caution: ExecutableFile]
C:\Program Files\WinRAR\WinRAR[Caution: ExecutableFile]
C:\DOCUME~1\Chris\LOCALS~1\Temp\Rar$EX00.750\HijackThis[Caution: ExecutableFile]

O2 - BHO: HomepageBHO - {e9ccf15d-4c68-4b5a-9e9a-8e12e4bd39bd} - C:\WINDOWS\system32\hp754A.tmp
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc[Caution: ExecutableFile] /STARTUP
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient[Caution: ExecutableFile]
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32[Caution: ExecutableFile] C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck[Caution: ExecutableFile]
O4 - HKLM\..\Run: [soundMan] SOUNDMAN[Caution: ExecutableFile]
O4 - HKCU\..\Run: [CTFMON[Caution: ExecutableFile]] C:\WINDOWS\system32\ctfmon[Caution: ExecutableFile]
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr[Caution: ExecutableFile]" /background
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader[Caution: ExecutableFile]
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl[Caution: ExecutableFile]
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9[Caution: ExecutableFile]
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40[Caution: ExecutableFile]
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs[Caution: ExecutableFile]
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs[Caution: ExecutableFile]
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 7685548812
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc[Caution: ExecutableFile]
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr[Caution: ExecutableFile]
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc[Caution: ExecutableFile]
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc[Caution: ExecutableFile]
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon[Caution: ExecutableFile]
coltm4carbine Posted November 14, 2005
Please can you extract all your HiJack this files to a permanent folder (i.e. C:\HJT). This ensures backups are saved and accessible. then post a new log.
BTW not desktop.
is your AVG up-to-date? if not then update it and scan it in safemode.
Trojan.Zlob.D Trojan
mssearchnet[Caution: ExecutableFile] is registered as the Generic Downloader.aa and Trojan.Zlob.D Trojans. This process usually comes bundled with a virus and its main role is to do nothing other than download other viruses to your computer.
01whitec2 Posted November 14, 2005
Um ok.. this better?
Logfile of HijackThis v1.99.1
Scan saved at 18:17:10, on 14/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss[Caution: ExecutableFile]
C:\WINDOWS\system32\winlogon[Caution: ExecutableFile]
C:\WINDOWS\system32\services[Caution: ExecutableFile]
C:\WINDOWS\system32\lsass[Caution: ExecutableFile]
C:\WINDOWS\system32\svchost[Caution: ExecutableFile]
C:\WINDOWS\System32\svchost[Caution: ExecutableFile]
C:\WINDOWS\system32\spoolsv[Caution: ExecutableFile]
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr[Caution: ExecutableFile]
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc[Caution: ExecutableFile]
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc[Caution: ExecutableFile]
C:\WINDOWS\system32\ZoneLabs\vsmon[Caution: ExecutableFile]
C:\WINDOWS\Explorer[Caution: ExecutableFile]
C:\WINDOWS\system32\mssearchnet[Caution: ExecutableFile]
C:\WINDOWS\system32\nvctrl[Caution: ExecutableFile]
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc[Caution: ExecutableFile]
C:\Program Files\Zone Labs\ZoneAlarm\zlclient[Caution: ExecutableFile]
C:\WINDOWS\SOUNDMAN[Caution: ExecutableFile]
C:\WINDOWS\system32\ctfmon[Caution: ExecutableFile]
C:\Program Files\MSN Messenger\MsnMsgr[Caution: ExecutableFile]
C:\Program Files\Microsoft Office\Office\1033\OLFSNT40[Caution: ExecutableFile]
C:\PROGRA~1\MOZILL~1\FIREFOX[Caution: ExecutableFile]
C:\WINDOWS\system32\wuauclt[Caution: ExecutableFile]
C:\Program Files\mIRC\mirc[Caution: ExecutableFile]
D:\chris\hijackthis\HijackThis[Caution: ExecutableFile]

O2 - BHO: HomepageBHO - {e9ccf15d-4c68-4b5a-9e9a-8e12e4bd39bd} - C:\WINDOWS\system32\hp754A.tmp
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc[Caution: ExecutableFile] /STARTUP
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient[Caution: ExecutableFile]
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32[Caution: ExecutableFile] C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck[Caution: ExecutableFile]
O4 - HKLM\..\Run: [soundMan] SOUNDMAN[Caution: ExecutableFile]
O4 - HKCU\..\Run: [CTFMON[Caution: ExecutableFile]] C:\WINDOWS\system32\ctfmon[Caution: ExecutableFile]
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr[Caution: ExecutableFile]" /background
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader[Caution: ExecutableFile]
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl[Caution: ExecutableFile]
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9[Caution: ExecutableFile]
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40[Caution: ExecutableFile]
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs[Caution: ExecutableFile]
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs[Caution: ExecutableFile]
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 7685548812
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc[Caution: ExecutableFile]
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr[Caution: ExecutableFile]
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc[Caution: ExecutableFile]
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc[Caution: ExecutableFile]
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon[Caution: ExecutableFile]

It looks the same tho?
coltm4carbine Posted November 14, 2005
i can see at least one bad
O2 - BHO: HomepageBHO - {e9ccf15d-4c68-4b5a-9e9a-8e12e4bd39bd} - C:\WINDOWS\system32\hp754A.tmp
have you run your avg? and has your desktop been hijacked?
that line is like the smitfraud.c (in fact the CLSID is, as for the filename that's random)
http://www.sophos.com/virusinfo/analyses/trojpuperg.html
run your avg then run these to double check if it is the smitfraud.
Kaspersky OnLine Scan or if that doesn't work, you can use TrendMicro or BitDefender. (Please post the results of the scan(s) in your next reply)
+++++
If you are unable to run the activeX Antivirus Scanners, let's try this Java based solution from Trend Micro.
does your desktop look like this by any chance?
http://img45.imageshack.us/my.php?image=adwaresmitfraudimg13ni.gif
01whitec2 Posted November 14, 2005
Hmm... I ran my PC in safe mode, and did the AVG scan, and now the message doesn't come up :?
coltm4carbine Posted November 14, 2005
you ran HJT in safemode? if you did i need one in normal mode.
01whitec2 Posted November 14, 2005
No I ran ad-aware in safe mode... And the message is back :cry:
coltm4carbine Posted November 14, 2005
where are the results from the online scan? can u post a screen shot about the message. I heard about this a few months ago at the McAfee forums but i can't seem to find the posts...
01whitec2 Posted November 14, 2005
Um just getting the results from online test... here's the message that comes up.. If I click on the message it links to spyaxe.com
coltm4carbine Posted November 14, 2005
yeh it should be a trojan but i need the scan results :) looking forward to it (hope it comes clean)
01whitec2 Posted November 14, 2005
Right I looked on another website where someone had a past case of this... They told me to delete the:
O2 - BHO: HomepageBHO - {e9ccf15d-4c68-4b5a-9e9a-8e12e4bd39bd} - C:\WINDOWS\system32\hp754A.tmp
And also to remove:
mssearchnet[Caution: ExecutableFile]
nvctrl[Caution: ExecutableFile]
I removed them, and so far so good
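Added example, not part of any post in this thread: a small triage script that walks a HijackThis log and reports the entries the posters singled out, matching the BHO by CLSID rather than by its file name because the thread says the file name is random. The sample log is constructed, the function names are hypothetical, and reading "[Caution: ExecutableFile]" as a stand-in for the executable extension is an assumption.

```python
import re

# Indicators named by the posters in this thread; nothing else is treated as bad.
BAD_CLSIDS = {"{e9ccf15d-4c68-4b5a-9e9a-8e12e4bd39bd}"}
BAD_PROCESSES = {"mssearchnet", "nvctrl"}
MARKER = "[Caution: ExecutableFile]"  # assumed stand-in for the extension

O_ENTRY = re.compile(r"^(O\d+) - (.*)$")
CLSID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

def basename(path):
    """File name without directory, marker or extension, lower-cased."""
    name = path.replace(MARKER, "").strip().strip('"').rsplit("\\", 1)[-1]
    return name.rsplit(".", 1)[0].lower() if "." in name else name.lower()

def triage(log_text):
    """Return (kind, line) findings for a HijackThis log given as text."""
    findings, in_processes = [], False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("Running processes:"):
            in_processes = True
            continue
        if O_ENTRY.match(line):
            in_processes = False  # the O-sections follow the process list
            ids = {c.lower() for c in CLSID.findall(line)}
            if ids & BAD_CLSIDS:
                findings.append(("clsid", line))
        elif in_processes and line and basename(line) in BAD_PROCESSES:
            findings.append(("process", line))
    return findings

# Constructed sample: same CLSID as in the thread, different random file name.
SAMPLE = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\system32\winlogon[Caution: ExecutableFile]
C:\WINDOWS\system32\mssearchnet[Caution: ExecutableFile]
C:\WINDOWS\system32\nvctrl.exe
O2 - BHO: HomepageBHO - {E9CCF15D-4C68-4B5A-9E9A-8E12E4BD39BD} - C:\WINDOWS\system32\hp0000.tmp
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc[Caution: ExecutableFile] /STARTUP
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs[Caution: ExecutableFile]
"""

if __name__ == "__main__":
    for kind, line in triage(SAMPLE):
        print(kind, "|", line)
```

A match only shows that an entry named in the thread is present in the log; as the following posts show, removing those entries by hand did not stop the alert from returning.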
01whitec2 Posted November 14, 2005
argh spoke too soon it's back :? :cry: :x
coltm4carbine Posted November 14, 2005
D'OH! I was afraid of that :roll: ok nvm then i knew it was a bad idea telling you the bad line sooo early.... if it was the smitfraud.c you need a fix for the reg on top of that.... ok post a new log and the scan results so we can see what else still needs to be fixed :roll:
*edit* ok still post a new hjt and the scan logs. i got a bad feeling this might take a bit longer than planned....
01whitec2 Posted November 14, 2005
uh... Wish I knew it was this simple.. SpyAxe didn't intend for this.. They've put up uninstallers, and well they do what they say, uninstall it :D So I believe it's all over now
coltm4carbine Posted November 14, 2005
yeh but i never ever trust them. we'll see if that works, if it does then congrats! you might wanna see if you have any updates to do- it shouldn't have gone into ur comp in the first place. least your desktop didn't get hijacked fully, if it did it would have been a real pain to remove.